3 Example Flows - Reference Documentation
Authors:
Version: 2.0-SNAPSHOT
Table of Contents
3 Example Flows
The following examples assume you have followed the steps outlined in the Getting Started section for an application namedoauth2-test and your grails-app/conf/BootStrap.groovy contains the following:def init = { servletContext -> Role roleUser = new Role(authority: 'ROLE_USER').save(flush: true)
User user = new User(
username: 'my-user',
password: 'my-password',
enabled: true,
accountExpired: false,
accountLocked: false,
passwordExpired: false
).save(flush: true)
UserRole.create(user, roleUser, true)
new Client(
clientId: 'my-client',
authorizedGrantTypes: ['authorization_code', 'refresh_token', 'implicit', 'password', 'client_credentials'],
authorities: ['ROLE_CLIENT'],
scopes: ['read', 'write'],
redirectUris: ['http://myredirect.com']
).save(flush: true)
}
After retrieving an access_token via one of the flows, you must include this in the Authorization header when accessing protected resources.
For example, if you receive 7b9a989e-3702-4621-a631-fbd1a996fc94 as the access_token, you will include this in the Authorization header as Bearer 7b9a989e-3702-4621-a631-fbd1a996fc94 when requesting a protected resource.
The examples below are given using CURL tool to make the requests. The plugin is compliant with RFC 6749 when configured properly. Therefore token requests should be made using an HTTP POST and authorization requests should be initiated by the User-Agent with an HTTP GET.
3.1 Authorization Code Grant
The authorization code grant flow is initiated by directing your browser to the authorization endpoint:http://localhost:8080/oauth2-test/oauth/authorize?response_type=code&client_id=my-client&scope=read
You will be redirected to the login page. After signing in, you will be prompted to confirm the request. Doing so will redirect your browser to the following URL:
http://myredirect.com/?code=139R59
The authorization code included in the query can be exchanged for an access token via the token endpoint:
curl -X POST \
-d "client_id=my-client" \
-d "grant_type=authorization_code" \
-d "code=139R59" http://localhost:8080/oauth2-test/oauth/tokenUsing HTTP Basic for client authentication:
curl -X POST -u my-client: \
-d "grant_type=authorization_code" \
-d "code=139R59" http://localhost:8080/oauth2-test/oauth/tokenYou'll receive the access_token in the response:
{
"access_token": "a1ce2915-8d79-4961-8abb-2c6f0fdb4aba",
"token_type": "bearer",
"refresh_token": "6540222d-0fb9-4b01-8d45-7be2bdfb68f9",
"expires_in": 43199,
"scope": "read"
}
3.2 Implicit Grant
The implicit grant is similar to the authorization code grant and can be initiated by directing your browser to the authorization endpoint:http://localhost:8080/oauth2-test/oauth/authorize?response_type=token&client_id=my-client&scope=read
Upon confirmation, your browser will be redirected to the following URL:
http://myredirect.com/#access_token=4e22ad4f-08ae-49dc-befb-2c9821af04d1&token_type=bearer&expires_in=43199
The access_token can be extracted from the URL fragment.
3.3 Resource Owner Password Credentials Grant
The resource owner password grant is performed by requesting an access token from the token endpoint:curl -X POST \
-d "client_id=my-client" \
-d "grant_type=password" \
-d "username=my-user" \
-d "password=my-password" \
-d "scope=read" http://localhost:8080/oauth2-test/oauth/tokenUsing HTTP Basic for client authentication:
curl -X POST -u my-client: \
-d "grant_type=password" \
-d "username=my-user" \
-d "password=my-password" \
-d "scope=read" http://localhost:8080/oauth2-test/oauth/tokenThe access_token is included in the response:
{
"access_token": "1d49fc35-2af6-477e-8fd4-ab0353a4a76f",
"token_type": "bearer",
"refresh_token": "4996ba33-be3f-4555-b3e3-0b094a4e60c0",
"expires_in": 43199,
"scope": "read"
}3.4 Client Credentials Grant
The client credentials grant is performed by authenticating the client via the token endpoint:curl -X POST \
-d "client_id=my-client" \
-d "grant_type=client_credentials" \
-d "scope=read" http://localhost:8080/oauth2-test/oauth/tokenUsing HTTP Basic for client authentication:
curl -X POST -u my-client: \
-d "grant_type=client_credentials" \
-d "scope=read" http://localhost:8080/oauth2-test/oauth/tokenThe access_token can be extracted from the response:
{
"access_token": "7b9a989e-3702-4621-a631-fbd1a996fc94",
"token_type": "bearer",
"expires_in": 43199,
"scope": "read"
}3.5 Refresh Token Grant
The refresh token grant is performed by exchanging a refresh token received during a previous authorization request for an access token from the token endpoint:curl -X POST \
-d "client_id=my-client" \
-d "grant_type=refresh_token" \
-d "refresh_token=269afd46-0b41-45c2-a920-7d5af8a38d56" \
-d "scope=read" http://localhost:8080/oauth2-test/oauth/tokenUsing HTTP Basic for client authentication:
curl -X POST -u my-client: \
-d "grant_type=refresh_token" \
-d "refresh_token=269afd46-0b41-45c2-a920-7d5af8a38d56" \
-d "scope=read" http://localhost:8080/oauth2-test/oauth/tokenThe above assumes that 269afd46-0b41-45c2-a920-7d5af8a38d56 is the value of the refresh token the client had obtained prior to this request.
The access_token is included in the response:
{
"access_token": "a3da52c7-4bd2-4d42-a58d-efa64b4de453",
"token_type": "bearer",
"refresh_token": "6396c283-47ff-41d2-b887-39bde6af5f1e",
"expires_in": 43199,
"scope": "read"
}